I have a problem with a PIX xlate entry. I'm able to ping across the PIX with the 1.1.48 scope, but not with a routed 10.1.50 packet. I know the packet is getting to the PIX because I can ping the inside interface, but for some reason it won't go across it with the source L3 address. Thanks.
My config is below:
interface ethernet0 auto shutdown
interface ethernet1 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet5 intfail security10
access-list 161 permit ip any any
access-list 160 permit ip any any
access-group 161 in interface inside
access-group 160 in interface outside
ip address inside 10.1.48.2 255.255.255.248
ip address outside 126.96.36.199 255.255.255.240
nat (inside) 1 10.1.0.0 255.255.0.0
global (outside) 1 188.8.131.52 netmask 255.255.255.240
For inside users to be able to ping external hosts, you need to permit Internet Control Message Protocol (ICMP) echo reply packets back through the PIX. The PIX does not dynamically open up access for the ICMP reply packets.
The solution is to apply an access-list to the outside interface permitting echo reply packets back in.
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside
This allows only these return messages through the firewall when an inside user pings an outside host. The other types of ICMP status messages might be hostile, so the firewall blocks all other ICMP messages.
For more information, refer to Handling ICMP Pings with the PIX Firewall.
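As an added illustration of the point made in the answer above (this is example code written for this page, not from the original thread or from Cisco), the script below audits a PIX-style configuration for the four ICMP return messages the answer permits. It parses `access-list` and `access-group` lines, finds the ACL bound inbound on the outside interface, evaluates entries top-down with first match wins (so an earlier `deny` shadows a later `permit`), and reports which reply types would not make it back in. The sample configurations are constructed for the example; the audit deliberately ignores source and destination address scope and checks protocol and ICMP type only, which is a simplification of this example rather than how the PIX itself evaluates an ACL.

```python
"""Audit a PIX-style config for the ICMP return messages an inside ping needs.

Added example (not from the original thread): parses ``access-list`` and
``access-group`` lines and reports which ICMP reply types the ACL bound inbound
on the outside interface does not permit. Address scope is ignored; the check
is per protocol / ICMP type only (a simplification assumed by this example).
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class AclEntry(NamedTuple):
    action: str               # "permit" or "deny"
    proto: str                # "ip", "icmp", "tcp", ...
    icmp_type: Optional[str]  # e.g. "echo-reply"; None when the entry covers every ICMP type


# The four ICMP status messages the answer above permits back in on the outside interface.
REQUIRED_ICMP_TYPES = ("echo-reply", "source-quench", "unreachable", "time-exceeded")

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.*)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")


def _skip_address(tokens: List[str], i: int) -> int:
    """Advance past one address spec: 'any' (1 token), or 'host A' / 'A MASK' (2 tokens)."""
    if i >= len(tokens):
        return i
    return i + 1 if tokens[i] == "any" else i + 2


def parse_config(text: str) -> Tuple[Dict[str, List[AclEntry]], Dict[str, str]]:
    """Return ({acl_name: [AclEntry, ...]}, {interface: acl_name bound inbound})."""
    acls: Dict[str, List[AclEntry]] = {}
    inbound: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, action, proto, rest = m.groups()
            tokens = rest.split()
            i = _skip_address(tokens, 0)   # source
            i = _skip_address(tokens, i)   # destination
            # For icmp entries the token after the destination, if present, is the ICMP type.
            icmp_type = tokens[i] if proto == "icmp" and i < len(tokens) else None
            acls.setdefault(name, []).append(AclEntry(action, proto, icmp_type))
            continue
        m = GROUP_RE.match(line)
        if m:
            name, interface = m.groups()
            inbound[interface] = name
    return acls, inbound


def _entry_covers(entry: AclEntry, icmp_type: str) -> bool:
    """Does this entry match an ICMP packet of the given type? 'ip' matches every IP protocol."""
    if entry.proto == "ip":
        return True
    return entry.proto == "icmp" and entry.icmp_type in (None, icmp_type)


def missing_icmp_returns(config_text: str, interface: str = "outside") -> List[str]:
    """ICMP types from REQUIRED_ICMP_TYPES that the inbound ACL on `interface` does not permit.

    Entries are evaluated top-down, first match wins. With no ACL bound, traffic
    arriving on the lower-security outside interface is denied, so all are missing.
    """
    acls, inbound = parse_config(config_text)
    entries = acls.get(inbound.get(interface, ""), [])
    missing = []
    for icmp_type in REQUIRED_ICMP_TYPES:
        verdict = next((e.action for e in entries if _entry_covers(e, icmp_type)), "deny")
        if verdict != "permit":
            missing.append(icmp_type)
    return missing


def remediation(missing: List[str], acl: str = "101", interface: str = "outside") -> List[str]:
    """Config lines, in the form the answer above uses, that would permit the missing types."""
    if not missing:
        return []
    lines = [f"access-list {acl} permit icmp any any {t}" for t in missing]
    lines.append(f"access-group {acl} in interface {interface}")
    return lines


# Constructed sample: only web traffic is allowed in from outside, so inside pings get no replies.
WEB_ONLY = """
access-list 101 permit tcp any host 192.0.2.10 eq www
access-group 101 in interface outside
"""

# Constructed sample: the answer's fix applied.
WITH_ICMP_RETURNS = """
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-group 101 in interface outside
"""

# Constructed sample: an explicit deny placed first shadows the later broad permit.
SHADOWED = """
access-list 102 deny icmp any any echo-reply
access-list 102 permit icmp any any
access-group 102 in interface outside
"""

if __name__ == "__main__":
    for label, cfg in (("web-only", WEB_ONLY), ("with-icmp-returns", WITH_ICMP_RETURNS), ("shadowed", SHADOWED)):
        gaps = missing_icmp_returns(cfg)
        print(f"{label}: missing {gaps or 'nothing'}")
        for line in remediation(gaps):
            print("   ", line)
```

Running the script prints the gaps for each constructed config and the lines that would close them; the `shadowed` case is the one worth noticing, since a broad `permit icmp any any` does not help when a narrower `deny` sits above it.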